06 Apr, 2023

Multicast Domain Name System (MDNS)


MDNS (Multicast Domain Name System) uses multicast DNS messages to discover and resolve the IP addresses of devices on a local network. This allows devices to be easily discovered and communicated with on a local network without the need for a central DNS server. 

MDNS common ports

Port 5353: This port is used by the mDNS protocol itself for sending and receiving multicast DNS packets.

Port 5355: This port is used by the DNS-SD (DNS Service Discovery) protocol, which is built on top of mDNS. DNS-SD allows devices to advertise and discover network services such as printers, file servers, and media players.

Standard commands from unauthorized users

mDNS is a protocol for discovering and resolving hostnames and IP addresses on a local network. The commands an unauthorized user can issue against mDNS vary with the implementation and network setup, but the following are common examples:

Query for a specific hostname: An unauthorized user can use an mDNS query to search for a specific hostname in the network. For example, they can send a query for the hostname “printer.local” to find out if there is a printer with that name on the network.

Broadcast a query for all available services: An unauthorized user can broadcast an mDNS query to search for all available services on the network. This can reveal the presence of various devices and services on the network.

Spoof mDNS responses: An unauthorized user can also try to spoof mDNS responses to redirect network traffic to a malicious device or service. For example, they can send a spoofed response for a popular service like “apple-tv.local” to redirect traffic to their own device.

Tools for using the mDNS protocol

Manual Tools:

  • mDNSResponder: This is a command-line tool for testing mDNS on macOS and Linux systems. It can be used to query and register mDNS services.

  • mdns-scan: A Linux command-line tool that allows you to scan the local network for mDNS services and hosts.

  • Avahi: A free implementation of the mDNS and DNS-SD protocols for Linux and BSD systems. It includes command-line tools for testing mDNS.

  • Bonjour Browser: A GUI-based tool for macOS that allows you to browse and query mDNS services on your local network.

  • dns-sd: A command-line tool for querying mDNS and DNS-SD services on macOS and Linux systems.

  • mdns-repeater: A Linux command-line tool that allows you to forward mDNS traffic between networks.

  • mDNSWatch: A tool for monitoring mDNS traffic on Windows systems.

  • mDNS-ping: A command-line tool for sending mDNS ping packets and testing mDNS responses on Linux systems.

  • dns-sd-proxy: A Linux command-line tool that acts as a proxy for mDNS and DNS-SD traffic between networks.

  • multicast-dns: A Node.js module for testing mDNS on Linux and macOS systems.

Automated Tools:

  • nmap: A popular network exploration and security auditing tool that includes support for mDNS and DNS-SD discovery.

  • Metasploit Framework: A powerful open-source framework for penetration testing that includes modules for testing mDNS and DNS-SD services.

  • Kali Linux: A popular Linux distribution for penetration testing that includes a variety of tools for testing mDNS and other network protocols.

  • The Sleuth Kit: A collection of command-line tools for digital forensics and investigation that includes support for analyzing mDNS traffic.

  • Wireshark: A popular network protocol analyzer that can be used to capture and analyze mDNS traffic on various platforms.

  • BonjourJolie: A browser plugin for Firefox on macOS that provides similar functionality to the Bonjour Browser Plugin.

  • Bonjour Print Services Plugin: A browser plugin for Windows that allows you to discover and print to Bonjour-enabled printers.

  • Bonjour for Windows: A software package for Windows that includes support for mDNS and DNS-SD discovery.

  • Zeroconf Neighborhood Explorer: A browser plugin for Internet Explorer on Windows that allows you to browse and query mDNS services from within the browser.

Last five known CVEs for mDNS

CVE-2022-25749 – Transient denial of service in WLAN due to a buffer over-read while parsing mDNS frames in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking.

CVE-2022-20682 – A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to inadequate input validation of incoming CAPWAP packets encapsulating multicast DNS (mDNS) queries. An attacker could exploit this vulnerability by connecting to a wireless network and sending a crafted mDNS query, which would flow through and be processed by the wireless controller. A successful exploit could allow the attacker to cause the affected device to crash and reload, resulting in a DoS condition.

CVE-2021-1439 – A vulnerability in the multicast DNS (mDNS) gateway feature of Cisco Aironet Series Access Points Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient input validation of incoming mDNS traffic. An attacker could exploit this vulnerability by sending a crafted mDNS packet to an affected device through a wireless network that is configured in FlexConnect local switching mode or through a wired network on a configured mDNS VLAN. A successful exploit could allow the attacker to cause the access point (AP) to reboot, resulting in a DoS condition.

CVE-2020-6080 – An exploitable denial-of-service vulnerability exists in the resource allocation handling of Videolabs libmicrodns 0.1.0. When encountering errors while parsing mDNS messages, some allocated data is not freed, possibly leading to a denial-of-service condition via resource exhaustion. An attacker can send one mDNS message repeatedly to trigger this vulnerability. The affected code path is rr_read_RR, which reads the current resource record except for the RDATA section; the RDATA is read by the loop in rr_read, which calls a different function for each RR type, and when the RR type is 0x10 (TXT) it calls rr_read_TXT.

CVE-2020-6079 – An exploitable denial-of-service vulnerability exists in the resource allocation handling of Videolabs libmicrodns 0.1.0. When encountering errors while parsing mDNS messages, some allocated data is not freed, possibly leading to a denial-of-service condition via resource exhaustion. An attacker can send one mDNS message repeatedly to trigger this vulnerability through the decoding of the domain name performed by rr_decode.

Useful information

– mDNS uses IP multicast to transmit DNS messages over the local network. This means that mDNS packets are only sent to devices on the same network segment, making it a more efficient and localized way of discovering network services.

– mDNS is often used in conjunction with DNS-SD (DNS Service Discovery), which allows devices to advertise and discover network services such as printers, file servers, and media players. DNS-SD is built on top of mDNS and uses the same multicast packets to discover services.

– mDNS is designed to operate on both wired and wireless networks, making it a flexible and versatile protocol for discovering network services.

– mDNS can be used to discover services on both IPv4 and IPv6 networks. It supports both types of IP addresses and can be configured to use either one.

– mDNS packets are sent using User Datagram Protocol (UDP) rather than Transmission Control Protocol (TCP). This means that they are connectionless and do not guarantee delivery of packets, but in practice, this is not usually a problem for local networks.

– mDNS is supported by many operating systems, including macOS, Windows, Linux, and iOS. This makes it a widely used and interoperable protocol for discovering network services.

– To use mDNS, devices must support the protocol and be configured to use it. This usually involves enabling mDNS on the device and configuring it with a domain name.

– mDNS can be used to discover devices and services on a network without relying on a centralized naming system. This makes it a useful tool for home automation, Internet of Things (IoT), and other applications where devices need to communicate with each other without relying on a server.

– mDNS can be a useful troubleshooting tool for network administrators. By using tools like Wireshark, administrators can capture and analyze mDNS packets to diagnose problems with network services.

Known banners

Apple Inc.: Apple devices often advertise mDNS services using banners that include the string “_apple-mobdev2._tcp.local”. This indicates that the device is using Apple’s Bonjour protocol to advertise services on the network.

Google Chromecast: Chromecast devices advertise mDNS services using banners that include the string “_googlecast._tcp.local”. This indicates that the device is advertising its Chromecast service on the network.

Amazon Echo: Amazon Echo devices advertise mDNS services using banners that include the string “_amzn-wplay._tcp.local”. This indicates that the device is advertising its wireless audio playback service on the network.

Sonos: Sonos devices advertise mDNS services using banners that include the string “_sonos._tcp.local”. This indicates that the device is advertising its Sonos service on the network.

Roku: Roku devices advertise mDNS services using banners that include the string “_roku._tcp.local”. This indicates that the device is advertising its Roku service on the network.

Philips Hue: Philips Hue devices advertise mDNS services using banners that include the string “_hue._tcp.local”. This indicates that the device is advertising its Hue service on the network.

Logitech Harmony: Logitech Harmony devices advertise mDNS services using banners that include the string “_logitech-harmony._tcp.local”. This indicates that the device is advertising its Harmony service on the network.

Books for studying mDNS

“Zero Configuration Networking: The Definitive Guide” by Daniel Steinberg and Stuart Cheshire: This book provides a comprehensive overview of Zero Configuration Networking (Zeroconf), which includes mDNS. It covers the basics of mDNS and how it works, as well as other protocols like Link-Local Multicast Name Resolution (LLMNR) and DNS-Based Service Discovery (DNS-SD). It also includes practical examples and code samples for implementing Zeroconf in your own projects.

“Bonjour Programming Guide: for Mac OS X” by Apple Inc.: This guide, published by Apple, provides a detailed overview of Bonjour, which is Apple’s implementation of mDNS. It covers the basics of mDNS and how it works, as well as how to use Bonjour in macOS applications. It includes code examples and practical advice for building applications that use Bonjour.

“Multicast DNS: Design and Implementation” by Stuart Cheshire: This book provides an in-depth look at the design and implementation of mDNS. It covers the history of mDNS, the technical details of how it works, and practical advice for implementing mDNS in your own projects. It also includes case studies and real-world examples of how mDNS is used in different applications.

“Networking for Systems Administrators” by Michael W. Lucas: This book provides a comprehensive overview of networking concepts for systems administrators. It includes a chapter on Zeroconf, which covers mDNS and other related protocols. It provides practical advice for configuring and troubleshooting Zeroconf on different operating systems.

“Zeroconf: Networking in the Digital Age” by Stuart Cheshire: This book provides a detailed overview of Zeroconf, which includes mDNS. It covers the history of Zeroconf, the technical details of how it works, and practical advice for implementing Zeroconf in your own projects. It also includes case studies and real-world examples of how Zeroconf is used in different applications.

List of payloads for mDNS

Query message payload: This payload is used to initiate an mDNS query for a specific service or device on the network. It typically includes the name of the service being queried and the type of query being made (e.g. “A” for IPv4 address, “AAAA” for IPv6 address, or “PTR” for a reverse lookup query).

Response message payload: This payload is used to respond to an mDNS query and provide information about a particular service or device on the network. It typically includes the name of the service being advertised, the type of service (e.g. “_http._tcp”), and the IP address and port number of the device offering the service.

Announcement message payload: This payload is used to advertise a service or device on the network. It typically includes the name of the service being advertised, the type of service, the IP address and port number of the device offering the service, and any additional metadata about the service.

Goodbye message payload: This payload is used to indicate that a service or device is no longer available on the network. It is typically sent when a device is shutting down or when a service is being removed from the network.

Probe message payload: This payload is used to determine if a particular name is already in use on the network. It is typically sent before advertising a new service to avoid conflicts with existing services.

Proxy query message payload: This payload is used to forward an mDNS query from one network segment to another. It is typically used in larger networks that have multiple subnets.
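As an added example (not code from the original post), here is a small Python parser for the mDNS wire format that decodes the header flags, question and record sections and maps a message onto the payload types listed above (query, probe, response, goodbye). The sample messages are constructed rather than captured; the service names reuse this page's examples.

```python
import struct

def read_name(buf, off):                       # -> (dotted name, offset after it); follows compression pointers
    labels = []
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:              # pointer: the rest of the name lives earlier in the message
            tail, _ = read_name(buf, struct.unpack_from("!H", buf, off)[0] & 0x3FFF)
            return ".".join(labels + [tail]), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + length].decode("ascii"))
        off += length

def parse_mdns(buf):
    """Parse the header, questions and resource records of one mDNS message (RFC 6762 wire format)."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", buf, 0)
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(buf, off)
        qtype, qclass = struct.unpack_from("!HH", buf, off); off += 4
        questions.append({"name": name, "type": qtype, "unicast": bool(qclass & 0x8000)})  # QU bit
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(buf, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off); off += 10
            rdata = buf[off:off + rdlen]       # top bit of CLASS is the mDNS "cache flush" flag
            if rtype == 12:                    # PTR: RDATA is a name and may use compression
                rdata = read_name(buf, off)[0]
            off += rdlen
            records.append({"section": section, "name": name, "type": rtype, "ttl": ttl,
                            "cache_flush": bool(rclass & 0x8000), "rdata": rdata})
    return {"response": bool(flags & 0x8000), "questions": questions, "records": records}

def classify(msg):
    """Payload type as visible on the wire (an unsolicited announcement looks like any other response)."""
    if not msg["response"]:
        return "probe" if any(r["section"] == "authority" for r in msg["records"]) else "query"
    return "goodbye" if any(r["ttl"] == 0 for r in msg["records"]) else "response"

def encode_name(name):                         # uncompressed labels, used only to build the samples below
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
# Constructed samples, not captured traffic: a PTR query for Chromecast services, a probe for
# "printer.local" (QU bit set, proposed A record in the authority section) and a goodbye (TTL 0).
SAMPLE_QUERY = struct.pack("!6H", 0, 0, 1, 0, 0, 0) + encode_name("_googlecast._tcp.local") + struct.pack("!HH", 12, 1)
SAMPLE_PROBE = (struct.pack("!6H", 0, 0, 1, 0, 1, 0) + encode_name("printer.local") + struct.pack("!HH", 255, 0x8001)
                + encode_name("printer.local") + struct.pack("!HHIH", 1, 1, 120, 4) + bytes([192, 168, 1, 20]))
_PTR = encode_name("Living-Room._googlecast._tcp.local")
SAMPLE_GOODBYE = (struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0) + encode_name("_googlecast._tcp.local")
                  + struct.pack("!HHIH", 12, 0x8001, 0, len(_PTR)) + _PTR)
```

Feeding the UDP payloads of port 5353 traffic from a capture into `parse_mdns` gives a quick inventory of which names and service types are being queried, probed for and withdrawn on the segment.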

Mitigation

  1. Disable mDNS if not needed: If mDNS is not necessary for your network or applications, consider disabling it altogether. This can be done by configuring network devices to block mDNS traffic.

  2. Segment your network: Segmenting your network into smaller subnets can help reduce the impact of mDNS traffic. By limiting the scope of mDNS traffic to specific subnets, you can reduce the risk of malicious actors exploiting mDNS vulnerabilities.

  3. Implement network access control: Implementing network access control (NAC) can help prevent unauthorized devices from accessing your network. By restricting access to only authorized devices, you can reduce the risk of malicious actors using mDNS to gain access to your network.

  4. Use firewalls: Firewalls can be used to block mDNS traffic from entering or leaving your network. By configuring firewalls to block mDNS traffic, you can reduce the risk of malicious actors using mDNS to exploit vulnerabilities in your network.

  5. Implement DNSSEC: DNS Security Extensions (DNSSEC) can be used to secure DNS queries and responses, including those used by mDNS. By implementing DNSSEC, you can reduce the risk of malicious actors intercepting or modifying mDNS traffic.

  6. Keep software up to date: Keeping software up to date with the latest security patches and updates can help reduce the risk of mDNS vulnerabilities being exploited by malicious actors. This includes both network devices and applications that use mDNS.

Conclusion

The Multicast Domain Name System (mDNS) protocol is a valuable tool for service discovery on local networks. It enables devices to discover and communicate with each other without the need for a central server or configuration. However, like any network protocol, mDNS can also pose security risks if not properly secured.

Some potential security issues related to mDNS include unauthorized access to services, denial of service attacks, and network reconnaissance. To mitigate these risks, it is important to implement appropriate security measures, such as disabling mDNS when not needed, using firewalls and access control lists to restrict access to mDNS services, monitoring network traffic for suspicious activity, and keeping software up-to-date to address security vulnerabilities.
